authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-14 12:14:08 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-14 12:14:08 +0200
commit214766b6038bab3e403b611d105d5770685fdb14 (patch)
tree30dec920c6bca58b1d4aa32e78faf684b57120de /lib
parentfee6901aa720d5693c1bb5c65d951099d6bd4cce (diff)
downloadgnutls-214766b6038bab3e403b611d105d5770685fdb14.tar.gz
priorities: Added internal option to allow key usage violations in server side
Diffstat (limited to 'lib')
-rw-r--r--lib/gnutls_cert.c3
-rw-r--r--lib/gnutls_int.h1
-rw-r--r--lib/gnutls_priority.c4
-rw-r--r--lib/priority_options.gperf1
4 files changed, 8 insertions, 1 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index c80bb071f8..54ec023a9e 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -267,7 +267,8 @@ _gnutls_selected_cert_supported_kx(gnutls_session_t session,
pk = _gnutls_map_pk_get_pk(kx);
if (pk == cert_pk) {
/* then check key usage */
- if (_gnutls_check_key_usage(cert, kx) == 0) {
+ if (_gnutls_check_key_usage(cert, kx) == 0 ||
+ unlikely(session->internals.priorities.allow_server_key_usage_violation != 0)) {
alg[i] = kx;
i++;
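Review bot: The added `||` branch lets the server select a certificate whose keyUsage does not permit the key exchange, and it does so silently, so a deployment that ends up with the flag set has nothing in its logs to show for it. The field is marked test-suite-only in gnutls_int.h, but nothing at this call site says so; a comment such as `/* test suite only: accept the certificate even if its keyUsage forbids this kx */` above the condition would help. If an audit-logging helper is available in this file, it would also be worth emitting a message when `_gnutls_check_key_usage()` failed and only the flag let the certificate through. The `unlikely()` wrapper is a branch-prediction hint and does not restrict where the flag can be set. The enclosing function starts and ends outside the hunk.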
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 3f327943e0..848acfec86 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -663,6 +663,7 @@ struct gnutls_priority_st {
bool min_record_version;
bool server_precedence;
bool allow_key_usage_violation;
+ bool allow_server_key_usage_violation; /* for test suite purposes only */
bool allow_wrong_pms;
bool no_tickets;
bool no_etm;
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 69cf4d7b6e..652da6722e 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -712,6 +712,10 @@ static void enable_compat(gnutls_priority_t c)
{
ENABLE_COMPAT(c);
}
+static void enable_server_key_usage_violations(gnutls_priority_t c)
+{
+ c->allow_server_key_usage_violation = 1;
+}
static void enable_dumbfw(gnutls_priority_t c)
{
c->dumbfw = 1;
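Review bot: `enable_server_key_usage_violations` is compiled into every build and, through the priority_options.gperf entry added in the same commit, can be switched on by any priority string. The only statement that it exists for the test suite is a field comment in gnutls_int.h. The function should carry that warning itself, e.g. `/* test suite only: disables the server-side keyUsage check on the selected certificate; do not enable in production */`. It is also worth considering a build-time switch around the setter and its keyword, so that release builds reject the keyword instead of weakening certificate selection. The body of `enable_dumbfw` continues outside the hunk.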
diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf
index b8d1cb5e22..56c79988fd 100644
--- a/lib/priority_options.gperf
+++ b/lib/priority_options.gperf
@@ -34,3 +34,4 @@ PROFILE_ULTRA, enable_profile_ultra
PROFILE_SUITEB128, enable_profile_suiteb128
PROFILE_SUITEB192, enable_profile_suiteb192
NEW_PADDING, dummy_func
+DEBUG_ALLOW_KEY_USAGE_VIOLATIONS, enable_server_key_usage_violations
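Review bot: The keyword `DEBUG_ALLOW_KEY_USAGE_VIOLATIONS` does not say that it acts on the server side, although its handler is `enable_server_key_usage_violations` and the struct already holds a separate `allow_key_usage_violation` field. Someone auditing a priority string cannot tell from the name which check is being disabled. A name that mirrors the handler, such as `DEBUG_ALLOW_SERVER_KEY_USAGE_VIOLATIONS`, would remove the ambiguity. Whatever the name, the keyword should be documented as unsupported outside the test suite, so that configuration reviews can flag any priority string containing it.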